# Copyright (C) 2022 Panther Labs, Inc.
#
# The Panther SaaS is licensed under the terms of the Panther Enterprise Subscription
# Agreement available at https://panther.com/enterprise-subscription-agreement/.
# All intellectual property rights in and to the Panther SaaS, including any and all
# rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
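# Quoted: an unquoted 2010-09-09 is read as a date by YAML 1.1 parsers used in tooling
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  This stack configures Panther's real-time CloudWatch Event collection.
  It works by creating CloudWatch Event rules which feed to Panther's SQS Queue proxied by
  a local SNS topic in each region.

Parameters:
  SnsTopicName:
    Type: String
    Description: The name of the new SNS Topic to create for receiving CloudWatch events
    Default: panther-cloudwatch-events-topic
  SnsEventsCmkMgmtRoleArn:
    Type: String
    Description: The ARN of the role that manages the KMS CMK used by the SNS topic
    Default: ''
    # Defaults to :root (all identities) in satellite account
    # To restrict access to the key, use an existing role (not managed by this template)
    # to manage the KMS CMK used by the SNS topic
    # Unless you use a dedicated key management role, this will be the role
    # you use in the AWS console or the role used in your template deployment
    # pipeline
  MasterAccountId:
    Type: String
    Description: The AWS Account ID of the Panther deployment
    # This value is interpolated into an IAM principal ARN in TopicPolicy below;
    # reject anything that is not a 12-digit account ID at deploy time instead of
    # producing a malformed principal that only fails at policy evaluation.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: Must be a 12-digit AWS account ID
  QueueArn:
    Type: String
    Description: The Panther SQS Queue Arn to receive CloudWatch Events via SNS

Conditions:
  # True when the deployer supplied a dedicated key-management role ARN
  MgmtRoleProvided: !Not [!Equals ['', !Ref SnsEventsCmkMgmtRoleArn]]

Resources:
  # SNS Topic, Policy, KMS CMK, and Subscription to SQS
  PantherEventsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref SnsTopicName
      # Server-side encryption of the topic with the customer-managed key below
      KmsMasterKeyId: !Ref PantherEventsKey

  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        # Quoted for the same reason as AWSTemplateFormatVersion, and to match KeyPolicy
        Version: '2012-10-17'
        Statement:
          # EventBridge (events.amazonaws.com) delivers matched events to the topic
          - Sid: CloudWatchEventsPublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref PantherEventsTopic
            # NOTE(review): this service-principal grant carries no aws:SourceAccount /
            # aws:SourceArn condition, so it is not scoped to rules in this account.
            # Confirm against the EventBridge confused-deputy guidance whether those
            # condition keys are populated for SNS targets before scoping it down.
          # Only the Panther master account may subscribe (its SQS queue) to the topic
          - Sid: CrossAccountSubscription
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${MasterAccountId}:root
            Action: sns:Subscribe
            Resource: !Ref PantherEventsTopic
      Topics:
        - !Ref PantherEventsTopic

  PantherEventsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: The Panther CloudWatch events customer-managed CMK
      # Automatic annual rotation of the key material; an in-place update on existing keys
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: panther-events-cmk
        Statement:
          # Lets EventBridge encrypt the messages it publishes to the encrypted topic
          - Sid: EventBridgeSNSPublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action:
              - kms:GenerateDataKey
              - kms:Decrypt
            Resource: '*'
          # Administrative (not cryptographic) access to the key. When a management
          # role is supplied it replaces the account root as the only administrator,
          # so that role must outlive this stack or the key becomes unmanageable.
          - Sid: KeyManagement
            Effect: Allow
            Principal:
              AWS: !If
                - MgmtRoleProvided
                - !Ref SnsEventsCmkMgmtRoleArn
                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'

  PantherEventsKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/panther-events
      TargetKeyId: !Ref PantherEventsKey

  # Forwards topic messages to the Panther-owned SQS queue as-is (no SNS envelope)
  QueueSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Endpoint: !Ref QueueArn
      Protocol: sqs
      RawMessageDelivery: true
      TopicArn: !Ref PantherEventsTopic

  # Matches every CloudTrail-recorded API call in this region and sends it to the topic
  CloudTrailRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Collect CloudTrail API calls.
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
      State: ENABLED
      Targets:
        - Arn: !Ref PantherEventsTopic
          Id: panther-collect-cloudtrail-events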